On May 25th, 2018, when the European Union’s General Data Protection Regulation (GDPR) comes into effect, the world will take a big step towards enforcing more stringent, water-tight privacy and data protection laws. A flagship piece of legislation, it will pave the way for better data protection practices by putting them at the forefront of business agendas worldwide and establishing one single set of data protection rules across the European Union. While the law will impact EU-based businesses, no organization that operates globally or collects data from a European citizen will stay unaffected either. Compliance is mandatory, and the penalties are severe. Therefore, it is essential that businesses start taking the appropriate steps to get GDPR-ready sooner rather than later.
The first step towards compliance is understanding the law itself. So let’s begin by taking a closer look at the highlights of this soon-to-be-enforced law.
GDPR Replaces the Current Data Protection Directive
It took the European Union (EU) four years of intense debate and deliberation to replace the two-decade-old legislation, the Data Protection Directive 95/46/EC. The current legislation was open to interpretation by individual countries in the EU. Therefore each member state that operated under the 1995 data protection regulation had its own national laws regarding data protection. GDPR will end that. Designed to protect the personal data and privacy of EU citizens for transactions within the 28 EU member states, the GDPR will also regulate the export of personal data outside the EU. This calls for all organizations that operate outside the EU but market their products to European citizens, or monitor the behavior of people in the EU, to be GDPR-ready by the end of May 2018. In other words, if you collect or plan to collect data from individuals in Europe (regardless of your business location), you’ll have to “implement appropriate technical and organizational measures” to become compliant before May 25th.
Main Elements of GDPR
The GDPR itself contains 11 chapters and 99 articles in total. It specifies the principles regarding personal data processing, the lawfulness of personal data processing, and the conditions for consent regarding personal data processing (including the consent of children). It also sets down conditions for the processing of special categories of personal data (sensitive data, genetic data, and biometric data) and the processing of personal data relating to criminal convictions and offenses. If you want details on the topics covered in each chapter, you can visit the official GDPR site. However, as a useful summary, here are some of the key elements of this law that we have sourced from the official PDF of the General Data Protection Regulation:
Consent: GDPR makes consent a bit closer to being genuine consent. It must be “freely given,” and organizations must be able to clearly show how and when they obtained this consent.
Right to be informed: When an organization requests data from an individual, it will have to provide, clearly and free of charge, information regarding its identity, contact details, the purpose for which it is collecting the data, how the information will be used, how long the data will be stored for, and whether the data will be transferred internationally.
Right of access: This gives individuals (data subjects) the ability to request and access information from an organization about how their data is being processed. If they request details, the organization must be able to provide a copy of the information free of charge within one month. However, the organization can charge a ‘reasonable fee’ if a request is found to be unfounded, excessive, or repetitive.
Right to rectification: If an individual demands that inaccurate information collected from them be corrected by an organization, the latter has to comply without delay.
Right to erasure: If an individual withdraws consent, they can tell the company to stop using their personal data once they close their accounts. This is an extension of the “right to be forgotten” that existed earlier. If the data is no longer required for the reasons for which it was collected, the company will need to erase it. There are extra requirements when the request for erasure relates to children’s personal data. The law does list some conditions when some organizations can keep data for a longer period. In addition, GDPR makes exceptions for instances where the data is being processed to serve the public interest.
Right to restrict processing: Individuals have a right to ‘block’ or suppress processing of personal data if they think it is inaccurate or has been procured unlawfully. The organization is bound to verify the accuracy of the data or restrict usage as required. Also, the organization has to inform the individual once the restriction on the processing is lifted.
Right to data portability: This allows an individual to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
Right to object: If an individual requests to know whether their data is being processed for the benefit of public interest or other “legitimate” interests, an organization will have to demonstrate compelling grounds for processing in the name of these interests. This section also gives individuals the right to restrict the processing of their data for direct marketing.
Controller and Processor: GDPR defines their role and responsibilities in detail. It considers the controller as the principal party for responsibilities such as collecting consent for gathering or storing an individual’s data, managing consent-revoking, enabling the right to access, etc. The processor, on the other hand, could be a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller. Both controller and processor must keep detailed records of their data, and provide them to the “supervisory authority” upon request. The GDPR also lays down conditions about how contractual relationships between controllers and processors must be constructed to ensure compliance.
Data Protection Officer (DPO): In some cases, an organization may need to appoint a Data Protection Officer who will advise the controller or processor and data processing employees on GDPR requirements, train staff in privacy practice, monitor compliance in processing operations, and more.
Notification of a data breach: Organizations have to report any security breach “leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.” If there is a personal data breach, the company must notify the appropriate supervisory authority within 72 hours of becoming aware of it.
Fines and Penalties: GDPR gives individuals better control over their personal data. It will also levy harsh penalties on any business that flouts its data privacy regulations. In fact, one of the biggest, and most talked about elements of the GDPR is the penalties involved in non-compliance and violation. Let’s discuss them in detail.
GDPR Fines and Penalties
These are much larger than the penalties levied now. Under the GDPR, if an organization doesn’t process an individual’s data in the correct way, it can be fined. If it requires, but doesn’t have, a Data Protection Officer, it can be fined. If there’s a security breach, it can be fined. However, the regulators do mention that they will be more lenient with companies that have shown an awareness of the GDPR and tried to implement it, compared to those that haven’t made an effort at all.
A company that is found to be non-compliant or violating its record-keeping, security, breach notification, and privacy impact assessment obligations will be fined €10 million or 2% of its global gross turnover, whichever is greater.
A company that violates obligations related to the legal justification for processing, lack of consent, data subject rights, or cross-border data transfers will have to shell out double, in the form of €20 million or 4% of its total global gross turnover.
In other words, the days of flouting local privacy laws and shrugging off smaller fines are over! It will be vital that companies take appropriate technical and organizational measures to detect, handle and report a violation.
More detailed information on the GDPR (source EU Commission)